According to the EU Commission, whistleblower protection could save governments between 5.8 and 9.6 billion Euros annually. And that’s just in the area of public procurement alone.
By late 2021, all EU Member States will have to comply with a new Whistleblower Directive designed to protect those who report violations of EU laws. In this guide you’ll learn the details of the Directive and steps to take to make sure your organization is compliant by the deadline.
Don’t just do the bare minimum. Download our cheat sheet, “6 Ways to Get the Most Out of Your Whistleblower Program,” to ensure your program is effective and efficient.
In September 2019, the European Union adopted a directive designed to protect “persons who report breaches of Union law.” Currently, each Member State has its own whistleblower protection laws, with disparate laws surrounding types of permitted reports, who is protected and to what extent.
The Directive, however, will establish a set of common minimum standards for responding to and investigating reports. Member States will be able to dictate certain details of their whistleblowing laws, such as whether or not anonymous whistleblowing will be permitted.
Whistleblowers will be allowed to report violations of a wide range of EU laws, including concerns with public health, transportation safety, consumer protection and data privacy. Additionally, Member States may broaden the scope of permitted reports to include violations of their country’s laws.
Below you’ll find answers to some of the most commonly asked questions about the EU Whistleblower Directive.
According to the Directive, a worker is someone “who, for a certain period of time, perform[s] services for and under the direction of another person, in return for which they receive remuneration.” As per this definition, workers are not just full-time employees, but also part-time workers, contractors, interns and temporary workers.
Note that a whistleblower doesn’t have to be a paid worker nor a citizen of the EU to submit a report. As long as they obtained the information during a work-based relationship (they may have ended their work with the organization or not started it yet), they are protected under the Directive.
Note: Anonymous whistleblowers who are identified later are protected by the Directive.
The Whistleblower Directive applies to private organizations that employ more than 50 workers. In addition, local authorities that serve more than 10,000 people must comply with the Directive.
The law is unclear about whether all 50 workers have to be physically located in the EU or if non-EU entities with 50+ workers located in the EU must comply.
Organizations that employ 250 or more workers have a compliance deadline of October 2021. Those with 50 to 249 employees must comply by October 2023.
In order to comply with the Whistleblower Directive, organizations must implement internal reporting channels. These must include methods for reporting:
- In writing, such as by mail, a complaint box or a webform
- Orally, by telephone hotline or voice messaging system
- In person (at whistleblower’s request, within a reasonable timeframe)
Your organization’s internal reporting system is part of a three-tier system. This includes:
- Internal reporting, which whistleblowers are encouraged to use first
- External reporting to local authorities
- Public reporting to the media, which should only be used when there are “reasonable grounds to believe that there is an imminent or manifest danger to the public interest, or a risk of irreversible damage, including harm to a person’s physical integrity.”
After you set up the reporting channels, make sure you provide sufficient information to workers about how to report both internally and externally.
Because the Directive emphasizes confidentiality as a key responsibility for employers, ensure your channels are secure and GDPR compliant. This is especially important if you use a third-party vendor to process your reports.
i-Sight provides a secure and confidential solution for capturing, processing, investigating and analyzing reports and can even integrate with your current intake channels. Learn more here.
Display this whistleblower hotline poster in common areas of your workplace to ensure workers know how and where to submit reports.
One main point of the Directive is to protect whistleblowers from retaliation. Not only does the law prohibit direct retaliation against the reporter, but also indirect retaliation aimed at their colleagues, family or friends.
Retaliation against whistleblowers shouldn’t be allowed in your workplace anyway, but the Directive makes it against the law. Examples include negative performance reviews, transfer or reduction of duties or other forms of discrimination.
To comply with the EU Whistleblower Directive, you’ll also need to establish an impartial team or employee to handle reports. From intake through the final investigation report, this team or person must carry out their duties without influence or conflict of interest.
According to the Directive, investigations must be diligent, confidential and accurate. Investigators may ask whistleblowers for more information, but must not demand it.
The Directive also lays out timelines for addressing whistleblower reports. After receiving a report, organizations must send the whistleblower a receipt of the report within seven days. Within three months, they must provide the reporter with feedback that includes actions that were or will be taken as a result of the report and reasons for that decision.
Alja Poler De Zwart, parter at Morrison & Foerster LLP, clarifies that
“the whistleblower does not need to receive this feedback as long as providing it could prejudice the investigation or affect the rights of the implicated individuals. Where the appropriate action still needs to be determined, the whistleblower also needs to be informed accordingly. Note that in all cases, the whistleblower should be informed of the investigation’s progress and outcome.”
Even though the EU Whistleblower Directive doesn’t take effect until 2021, get a head start on compliance now. This way, you’ll be sure your processes comply with the law (so you won’t risk hefty fines) and fit into your day-to-day operations.
As if complying with the EU Whistleblower Directive isn’t enough of an incentive, encouraging whistleblowers can save your organization money and reputation damage. If a reporter doesn’t come forward, an issue (such as fraud or harassment) could escalate into a major problem. Early warning lets you address the matter internally and faster.
Encourage a culture of ethics and transparency in your organization. Make sure that your reporting channels don’t discourage whistleblowers by being too difficult to find or use. Update your policies and procedures to prohibit retaliation. You may even want to offer incentives to whistleblowers whose reports save you from legal or reputational risks.
Using a third-party vendor to handle your whistleblower reports may help with impartiality and staffing concerns. However, it’s your responsibility to ensure they handle your workers’ data with privacy and confidentiality.
If you use a third party, audit them annually to make sure they comply with both the Directive and the GDPR. You’ll protect not only your employees’ sensitive information but, also, potentially, your reputation and finances.
If you don’t already have reporting channels in place, establish them now. If you do, assess their ability to meet the Directive’s requirements. For instance, is your current system capable of investigating reports within the Directive’s timelines? Do you have enough staff to handle the number of reports you’ll receive when you widen the scope?
Most importantly, stay up to date on the Directive. The law may be amended or updated in the next few years, so make sure you know the latest requirements. Because each Member State mandates certain aspects of the Directive, research specifics on how to comply in your country.